Inside the office of the student technical support group REACH sits an unlocked filing cabinet containing hundreds of customer support forms. On many of these documents, students have written their passwords when bringing their computer to REACH for help: the same passwords that could be used to access email accounts, student records, and enough personal information to reap identity havoc.
The situation, an apparent violation of the College's own information technology policy, was revealed to the Orient by a REACH employee who spoke on the condition of anonymity.
"I feel that students deserve the right to know that their privacy is not secure," the employee said.
At issue is both a REACH procedure and, sources say, an overarching problem about system-wide passwords that is out of REACH's control. When a student brings a computer to REACH for technical assistance, he or she is asked to fill out a form providing contact information and the nature of the support request. One field on the form is for the student's network password.
According to the employee, REACH workers may tell the student that the password field is required. Another employee, Joseph Adu '07, said that he would look at the problem and tell the student whether or not to write down his or her password.
"You can't always trust people to tell you what's wrong with their computer," Adu said. That's why, he said, it is usually safer to have the password in case network logon is required while servicing computers.
These forms are then kept in an unlocked filing cabinet. The cabinet kept in the office is also unlocked during business hours. The employee who revealed the situation said that forms are stored in the cabinet even after a student's support situation is resolved, estimating the number of forms, and passwords, "in the hundreds." REACH student manager Erik Schneebeck '04 said that the forms are kept for the semester and then are stored by IT.
The employee who came forward said that when seeing the passwords of acquaintances, it is hard not to remember them. "Sometimes as much as you try, you don't forget the password," the employee said.
The employee's greatest concern is not misuse of email by REACH employees or access to campus computers, but potential access to Bearings, the student records information system. Bearings, launched earlier this year, uses a student's Bowdoin username and password, the same password that a student writes down when requesting technical support.
Bearings holds student academic information, along with a student's personal information, including his or her Social Security number, addresses, and birthday. The employee feared that easy access to student passwords in the REACH office could be used to access these items. Social Security numbers, along with the other identifying information, could then be used for identity theft or other illicit purposes.
The Federal Trade Commission (FTC) recommends that before divulging a Social Security number, citizens should ask institutions what they do to protect the numbers. The FTC announced last September that there had been nearly 10 million cases of identity theft in America in the previous year alone.
REACH manager Schneebeck was skeptical when asked if the system posed a security threat. "I don't really feel that it would be a big concern," he said. "We feel that the people who work here are fairly good-natured about this."
Adu said that information is never totally safe. "Just to put things in perspective, if someone wanted to get you, they'd get you no matter what security measures you put in place," Adu said.
Adu, citing the need to have passwords available to support technicians, recommended that the situation be resolved by implementing a system where a different password could be used for web portals like Bearings that contain sensitive information.
The current situation conflicts with College policy. According to section 3.6 of the Information Technology Use Policy, "The College implements 'industry-standard' practices concerning the security of the College's IT resources." Chief Technology Officer Mitch Davis said that the current system is not aligned with industry-standard practices.
Section 3.4 of the same policy also says, "The system of accounts, passwords, and user IDs plays an important role in protecting the files and privacy of all users."
The policy also notes the danger of allowing others to use another student's network credentials, and says, "If criminal activity can be traced to a user's account, the person to whom the account is assigned will likely be held accountable." A student's network logon can be used to access public computers throughout campus.
Access to student records is also governed by the Federal Education and Privacy Rights Act (FERPA). Under the legislation, students must provide written consent before a school may release personal information to other individuals. Much of the information protected by FERPA can be found in Bearings.
The REACH employees and Davis suggested that students who are immediately worried about the safety of their privacy can increase their security by changing their password at http://mymail.bowdoin.edu.
"If people would just change their passwords, that would eliminate any security concerns they have," Schneebeck said. "It's a good idea to do that every few months anyway."
The manager also said that REACH welcomes student comments. "We are dedicated to the best possible service we can have," Schneebeck said.
With the security threat made public today, changes are on the way. After being contacted by the Orient for this article, the department said it plans to alter the password storage system. "It will be fixed within the next week," Davis said late Thursday.
Davis said that an outside source recently completed a system-wide security review of the College's IT resources, and found many areas that need improvement. "This summer we will be making a lot more [changes]," he said.